It is interesting to follow the evolution of this scam. The scam site always looks like a newspaper website (NBC, News Daily, etc.) with a legitimate news article, but they keep making small "improvements". Earlier this year, the scammers "borrowed" Facebook Like buttons to make it appear as though they had many supporters.

In the past two weeks, thousands of WordPress websites have been hijacked to redirect to online13workhome.com. New pages are added inside the /wp-includes/ directory:

http://crewing-russia.com/wp-includes/zaoedtis.php

http://nishikanttravels.com/images/gllsxayu.php

http://mitra-corp.com/wp-includes/kexohywj.php

http://aeflosangeles.com/wp-includes/bkpokbpc.php

http://logintofacebook.biz/wp-includes/hjgmmvsh.php

http://drhassanattia.com/wp-includes/zbfcbyom.php

http://sumittirathyatra.com/images/zypeeucx.php

etc.

The file names seem to be random and unique. Some of the hijacked websites are blacklisted by Google Safe Browsing, but the majority are not flagged and some of the websites have been cleaned up.

"Work from home" scam

Above is a spoof of the CNBC website. The page is well designed, with fake ads for CNBC Pro, summaries of fake articles on the elections, etc. They even use geo-localization to modify the title of the article to include the local city name: San Jose Mum...", "Atlanta Mum...".

JavaScript used for geo-localization

All the links redirect to www.realonlineincnow.com (currently down). Neither online13workhome.com nor realonlineincnow.com are currently blacklisted by Google Safe Browsing, but some of the hijacked sites leading to them are blocked by Google.